AD-A074 614  ADVISORY GROUP FOR AEROSPACE RESEARCH AND DEVELOPMENT
INTEGRITY IN ELECTRONIC FLIGHT CONTROL SYSTEMS. (U)
JUL 79  P R KURZHALS, R ONKEN
UNCLASSIFIED  AGARD-AR-136

AGARD-AR-136

ADVISORY GROUP FOR AEROSPACE RESEARCH & DEVELOPMENT
7 RUE ANCELLE 92200 NEUILLY SUR SEINE FRANCE

AGARD ADVISORY REPORT No. 136

Integrity in Electronic Flight Control Systems

DISTRIBUTION AND AVAILABILITY
ON BACK COVER

NORTH ATLANTIC TREATY ORGANIZATION
ADVISORY GROUP FOR AEROSPACE RESEARCH AND DEVELOPMENT
(ORGANISATION DU TRAITE DE L'ATLANTIQUE NORD)

AGARD Advisory Report No. 136

INTEGRITY IN ELECTRONIC FLIGHT CONTROL SYSTEMS

P.R.Kurzhals
Director
Guidance Control and Information Systems Division
National Aeronautics and Space Administration
Washington, DC 20546
USA

Dr Ing R.Onken
DFVLR
Institut für Flugführung
Flughafen
D-3300 Braunschweig

Approved for public release; distribution is unlimited.

This Advisory Report was sponsored by the Guidance and Control Panel of AGARD.


THE MISSION OF AGARD

The mission of AGARD is to bring together the leading personalities of the NATO nations in the fields of science and technology relating to aerospace for the following purposes:

- Exchanging of scientific and technical information;

- Continuously stimulating advances in the aerospace sciences relevant to strengthening the common defence posture;

- Improving the co-operation among member nations in aerospace research and development;

- Providing scientific and technical advice and assistance to the North Atlantic Military Committee in the field of aerospace research and development;

- Rendering scientific and technical assistance, as requested, to other NATO bodies and to member nations in connection with research and development problems in the aerospace field;

- Providing assistance to member nations for the purpose of increasing their scientific and technical potential;

- Recommending effective ways for the member nations to use their research and development capabilities for the common benefit of the NATO community.

The highest authority within AGARD is the National Delegates Board consisting of officially appointed senior representatives from each member nation. The mission of AGARD is carried out through the Panels which are composed of experts appointed by the National Delegates, the Consultant and Exchange Programme and the Aerospace Applications Studies Programme. The results of AGARD work are reported to the member nations and the NATO Authorities through the AGARD series of publications of which this is one.

Participation in AGARD activities is by invitation only and is normally limited to citizens of the NATO nations.


The content of this publication has been reproduced directly from material supplied by AGARD or the authors.

Published July 1979

Copyright © AGARD 1979
All Rights Reserved

ISBN (illegible in scan)

Printed by Technical Editing and Reproduction Ltd
Harford House, 7-9 Charlotte St, London, W1P 1HD


CONTENTS

ABSTRACT

INTRODUCTION

CURRENT STATUS

HIGH RELIABILITY APPROACHES

SOFTWARE IMPLICATIONS

LIGHTNING CONSIDERATIONS

FAILURE DETECTION METHODS

FUTURE TRENDS

CONCLUDING REMARKS

REFERENCES




INTEGRITY IN ELECTRONIC FLIGHT CONTROL SYSTEMS

P. R. KURZHALS and R. ONKEN


ABSTRACT

With the increased use of electronic flight-control systems for better aircraft performance and cost-effectiveness, development and test techniques which can insure the integrity of such systems have become critically important. Rapid advances in solid-state electronics have permitted a hundred-fold decrease in control computer size, power and cost over the past two decades. Designers have capitalized on these gains primarily by incorporating additional control functions to improve aircraft capabilities. Resulting control systems have become very complex and reliability requirements have mushroomed. This paper summarizes the evolution of these requirements, outlines the current status of flight control reliability, and highlights promising methods of achieving integrity in future flight control systems.


INTRODUCTION

While reliable control of the flight path has been man's primary concern since the conception of the airplane, modern flight control really came into its own with the automatic flight control systems introduced after World War II. With the advent of the jet engine and the attendant extension of the flight envelope and airplane configuration, designers increasingly turned to the control engineer for help in the solution of the multitude of problems brought on by this new phase of flight.[1]

Beginning with the early all-electric autopilots and the first demonstration of automatic flight, resultant control advances, led by electronic technology gains, have revolutionized flight control functions and mechanizations over the past three decades. Replacement of mechanical linkages by computer modules, and the subsequent miniaturization of these modules, have provided the potential for control system volume and weight reductions of nearly two orders of magnitude. Figure 1 shows the impact of these electronic advances for a representative autopilot subassembly.[2] A typical 1958 subsystem with about 950 cubic centimeters of circuit cards could, in 1968, be produced as two microelectronic modules having a volume of less than 50 cubic centimeters. By 1973, hybrid design concepts reduced the volume of these modules to less than 10 cubic centimeters. In practice, much of this potential has been used to add new flight control system functions aimed at further improving aircraft performance.

As a result, flight control applications have evolved from simple pilot-relief autopilots to flight-critical and redundant fly-by-wire and active control systems. To assure the integrity of these systems, more hardware had to be added to achieve the reliability needed for flight safety. Figure 2 illustrates this evolution in complexity.[3] Early added control system functions, such as command augmentation, could be accommodated with a single, non-redundant channel. As new functions were adopted and the pilot became more dependent on these functions, in-line monitors were included to check the system integrity. For flight-critical implementations which required accommodation of in-flight failures, additional levels of redundancy were incorporated to provide fail-safe and fail-operative performance. Redundancy management electronics which provided the circuitry for accuracy enhancement, fault isolation, fault reporting and built-in test rapidly became the dominant part of the system. The related growth in complexity has led to a twenty-fold increase in the number of system elements. Flight control system reliability requirements have increased at an even faster pace and are now comparable to those for the primary structure. As represented in Figure 3 by the probability of computer system failure for a 10-hour flight period, this increase spans some six orders of magnitude over the past 20 years. Failure probabilities of less than 10^-9 per flight hour, projected for the flight-critical control systems of the next generation of aircraft, thus present a major and relatively unexplored challenge to the flight control system designer.


CURRENT STATUS

The current status of flight control system reliability can best be assessed by reviewing the performance of state-of-the-art avionics hardware through the analysis of a quantifiable parameter such as MTBF (Mean Time Between Failures). One such study[4] assessed some 98 different types of avionics equipment. Over 1.2 million aircraft failures observed during more than a million flight hours were included in the analysis. Avionics subsystems were found to be involved in more aircraft failures than any other aircraft subsystem, with the proportion of avionics failures to total failures ranging from 27% for helicopters to 52% for supersonic fighters. Avionics subsystems were found to experience one failure every 2.8 flight hours, on average. As shown in Figure 4, only 45% of the failures studied were traceable to specific hardware and software causes. The remaining 55% were classified either as hardware failures with unknown causes (26%) or as an anomaly (29%), defined as any failure which could not be verified in maintenance checkout. For equipment procured under contracts which included an MTBF specification as part of the over-all design criteria, less than 25% of the specified MTBF was actually achieved in the field. Even so, MTBFs were higher by a factor of 1.4 in equipment procured under contracts containing an MTBF specification than in equipment procured with no MTBF specification.

The difficulties in achieving specified reliability standards, and in diagnosing failures in modern avionics equipment, underscore the need for reliable design concepts and methods for future aircraft flight control systems.


HIGH-RELIABILITY APPROACHES

High-integrity flight control systems must achieve required reliability standards while maintaining an appropriate balance among the competing factors of cost, scheduling, and performance. Thus, reliability should be an inherent element of the total design approach, with responsibility for attaining established reliability goals assigned (and accepted) early in the conceptual stages of design. By addressing the question of high system reliability throughout the design process, many resources (both dollars and hours) can be saved which would otherwise have to be devoted to after-the-fact design alterations. The fail-and-fix approach to system reliability, inherently inefficient in general, is particularly ineffective in eliminating those design problems which result in relatively infrequent failures. This is especially relevant for future complex avionics and flight control mechanizations, which are characterized by thousands of potential failure modes, none of which may repeat often enough to assure their elimination.

Considerable design and test experience for such analog[5] and digital[6-8] fly-by-wire flight control systems has been obtained. Figure 5 illustrates a representative advanced flight control system, the digital fly-by-wire system developed and tested by NASA on an F-8 aircraft. Typical elements of such a system include sensor modules to determine the aircraft state and errors from a desired path, processing electronics and networks to generate the necessary control commands, and actuators to drive the aircraft control surfaces. Reliability characteristics for each of these elements and for the total system must be considered to assure adequate flight control integrity.

Sensors 

Accelerometers, gyros, and differential transformers are the most commonly used sensors in automatic flight-control systems. Since servo-nulled linear accelerometers and linear variable differential transformers have well-established records for reliability and are likely to continue to be used in highly-reliable flight control applications in the future, the greatest improvements in sensor reliability will probably be made in angular rate sensors. Spin motor and bearing failures account for most rate gyro failures; it is therefore likely that future highly reliable control systems will feature angular rate sensors which do not employ these components. Ring laser gyros and magnetohydrodynamic rate sensors are currently being designed to alleviate this problem. These sensors achieve high reliability by minimizing many of the wearout modes caused by moving mechanical parts.

Higher reliability can also be achieved by applying skewed sensor techniques to reduce the number of rate gyros required in a given flight control system. In addition to increasing reliability by reducing the number of parts which can fail, the skewed sensor approach results in savings of weight, power, and volume.

Another approach uses analytic redundancy instead of redundant sensor hardware. This is accomplished by exploiting the knowledge about the aircraft dynamics and coupling of the aircraft state-vector components for the implementation of observer filters which provide additional information about the aircraft state. By use of the observer signals, failure detection and voting can be easily achieved and the number of sensor devices can be reduced without reducing reliability.
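A worked illustration of the skewed-sensor paragraph together with the failure detection and voting step, as an added example that is not part of the report (it uses hardware rather than analytic redundancy): five rate gyros with input axes on a cone, a constructed geometry, are checked against the parity equation any four of them must satisfy, the failed gyro is isolated by leaving each one out in turn, and body rates are re-estimated from the rest. All names, the threshold and the rate values are assumptions.

```python
"""Skewed rate-gyro failure detection and isolation (FDI) by parity checks.

Added example, not from the AGARD report. Five single-axis rate gyros with
input axes skewed on a cone (a constructed geometry) are assumed: any three
span the body rates, so every four must satisfy one parity equation. A failed
gyro gives a non-zero parity residual, is isolated by leaving each gyro out in
turn, and is dropped before the rates are re-estimated by least squares.
"""
from itertools import combinations
from math import cos, pi, sin, sqrt


def det3(m):
    """Determinant of a 3x3 matrix given as three row sequences."""
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def parity_vector(axes):
    """Left null vector v of the 4x3 axis matrix H, so that v . H = 0.

    v_i = (-1)^i det(H with row i removed): v . (column k of H) is then the
    Laplace expansion of a 4x4 determinant with a repeated column, i.e. 0.
    """
    assert len(axes) == 4
    return [(-1) ** i * det3([row for j, row in enumerate(axes) if j != i])
            for i in range(4)]


def parity_residual(axes, meas):
    """Normalised parity residual of four readings; ~0 when all four agree."""
    v = parity_vector(axes)
    return abs(dot(v, meas)) / sqrt(dot(v, v))


def detect_and_isolate(axes, meas, threshold):
    """Return (failed, index) under a single-failure assumption (>= 5 gyros).

    Every 4-subset containing the bad gyro violates its parity equation and
    every subset excluding it is consistent, so the bad gyro is the one whose
    exclusion leaves no inconsistent subset. index is None when nothing has
    failed or when the residual pattern does not match a single failure.
    """
    n = len(axes)
    residual = {
        idx: parity_residual([axes[i] for i in idx], [meas[i] for i in idx])
        for idx in combinations(range(n), 4)
    }
    if max(residual.values()) < threshold:
        return False, None
    worst_without = [max(r for idx, r in residual.items() if j not in idx)
                     for j in range(n)]
    suspect = min(range(n), key=worst_without.__getitem__)
    return True, (suspect if worst_without[suspect] < threshold else None)


def estimate_rate(axes, meas):
    """Least-squares body rate from >= 3 gyros: (H^T H) w = H^T m via Cramer."""
    hth = [[sum(a[r] * a[c] for a in axes) for c in range(3)] for r in range(3)]
    htm = [sum(a[r] * m for a, m in zip(axes, meas)) for r in range(3)]
    d = det3(hth)
    return [det3([[htm[r] if c == k else hth[r][c] for c in range(3)]
                  for r in range(3)]) / d for k in range(3)]


# Constructed geometry: five input axes evenly spaced on a cone of half-angle
# ALPHA (about 54.7 degrees) around the body z axis.
ALPHA = 0.955
AXES = [(sin(ALPHA) * cos(2 * pi * i / 5), sin(ALPHA) * sin(2 * pi * i / 5),
         cos(ALPHA)) for i in range(5)]
TRUE_RATE = (0.10, -0.05, 0.20)   # constructed body rates, rad/s
THRESHOLD = 0.005                 # constructed detection threshold, rad/s


def simulate(failed=None, bias=0.0):
    """Noise-free gyro readings for TRUE_RATE, optionally biasing one gyro."""
    meas = [dot(a, TRUE_RATE) for a in AXES]
    if failed is not None:
        meas[failed] += bias
    return meas


def run(failed=None, bias=0.0):
    """Detect, isolate, then estimate rates from the gyros still trusted."""
    meas = simulate(failed, bias)
    detected, index = detect_and_isolate(AXES, meas, THRESHOLD)
    healthy = [i for i in range(len(AXES)) if i != index]
    rate = estimate_rate([AXES[i] for i in healthy], [meas[i] for i in healthy])
    return detected, index, rate


if __name__ == "__main__":
    print("all good:     ", run())
    print("gyro 2 biased:", run(failed=2, bias=0.05))
```

With four gyros the same parity check still detects a failure but cannot say which gyro it is; isolation needs the fifth axis.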

Electronics

Potential reliability problems caused by defective electronic components can be minimized by incorporating component redundancy into the design process. Some drawbacks to the component redundancy method should be borne in mind, however. The most obvious difficulties are due to the increase in parts count inherent in this approach. Additional parts result in increased size, weight, cost, power consumption and power losses, all of which add undesirable and sometimes unnecessary complications to the total design process. Furthermore, successful exploitation of the component-redundancy approach requires a certain amount of a priori information about the failure mechanism which is to be eliminated. For example, one would probably apply a parallel arrangement of redundant components if the most likely failure were an open circuit, while short circuits are better accounted for by arranging components in series. A relatively complex arrangement of redundant components is required to protect against all possible combinations of component failures. Figure 6 illustrates the problem facing the designer when he uses redundancy to protect against component failures in even a simple application. Reliable information about probable failure modes is difficult enough to obtain after a failure has occurred; it is that much more difficult to generate such information in an a priori fashion during the design stage.
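The open-versus-short trade-off in the paragraph above can be made concrete by composing the two failure modes through a series-parallel network. The following Python is an added example, not code from the report; the failure probabilities are constructed and the components are assumed to fail independently.

```python
"""Open- versus short-circuit failures in redundant component networks.

Added example, not from the AGARD report. Each component is assumed to fail
independently in one of two modes, open or short, and is otherwise good. A
series chain is open if any element is open and short only if all elements
are short; a parallel group is short if any element is short and open only
if all elements are open. Composing these two rules gives the three-way
outcome distribution of any series-parallel arrangement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """Probability that a component or network is failed-open or failed-short."""
    open: float
    short: float

    @property
    def good(self):
        return 1.0 - self.open - self.short


def series(*parts):
    """Series chain: any open kills it; only an all-short chain reads as short."""
    not_open = 1.0
    all_short = 1.0
    for part in parts:
        not_open *= 1.0 - part.open
        all_short *= part.short
    return Outcome(open=1.0 - not_open, short=all_short)


def parallel(*parts):
    """Parallel group: any short kills it; only an all-open group reads as open."""
    not_short = 1.0
    all_open = 1.0
    for part in parts:
        not_short *= 1.0 - part.short
        all_open *= part.open
    return Outcome(open=all_open, short=1.0 - not_short)


def compare_arrangements(p_open, p_short):
    """P(good) for one part and for four redundant layouts built from it."""
    c = Outcome(p_open, p_short)
    return {
        "single": c.good,
        "2 parallel": parallel(c, c).good,
        "2 series": series(c, c).good,
        "series-parallel (2 chains of 2)": parallel(series(c, c), series(c, c)).good,
        "parallel-series (2 pairs in series)": series(parallel(c, c), parallel(c, c)).good,
    }


if __name__ == "__main__":
    # Constructed failure mix: opens twice as likely as shorts.
    for name, good in compare_arrangements(0.02, 0.01).items():
        print(f"{name:38s} P(good) = {good:.6f}")
    # When shorts dominate instead, the ranking of the two-part layouts flips.
    for name, good in compare_arrangements(0.01, 0.02).items():
        print(f"{name:38s} P(good) = {good:.6f}")
```

Doubling a part only helps against the failure mode the layout was chosen for; protecting against both modes needs the four-part arrangements, and even those differ depending on which mode dominates.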

The problems associated with defining a priori the most likely component failure modes can be eliminated by applying the redundancy method on a system level in which any failure in a prime system results automatically in a shut-down of the prime system and a simultaneous switch to the first of one or more back-up systems. Subsystem redundancy entails the same fundamental restrictions as component redundancy (increased size, weight, cost) but, as discussed earlier, leads to an enormous increase in system complexity and sophistication. In addition to providing in the backup system or systems all the functional capabilities of the prime system, it is also necessary to incorporate some means for detecting prime system failures in real-time and for switching from prime to back-up systems. Currently research is being sponsored at several places to develop the technology of fault-tolerant computer systems for application where extremely high reliability is required, with both hardware and software methods being investigated.[9,10]

The fault-tolerant computer used in future flight-control applications will be capable of detecting computer-system errors. It will further be able to assess the error and take corrective action as appropriate. For example, the highly-reliable computer will be capable of altering its internal processing procedures through reconfiguration to bypass the fault which has been detected. The application of such fault-tolerant techniques will eventually allow the power of real-time computer processing to be applied even in flight-critical applications.

Actuators 

Hydraulic actuators are used extensively in highly reliable flight-control systems and reliability is achieved through the application of advanced technology at both the component and the system level. On the component level, improvements which continue to be made in hydraulic fluids, tube connectors, tube materials, seals, and filtration techniques will ultimately result in enhanced reliability for the entire flight control system. New system-level technology under consideration includes high-pressure fluid-distribution systems to achieve substantial reductions in space and weight with improved maintainability and reliability. Integrated actuators, capable of positioning the control surface directly from an electrical command, will likely be a part of future highly reliable control systems.

Reliability in actuator systems is often achieved by the application of various redundancy methods. The multicylinder hydraulic actuator is in widespread use and is found in a large number of configurations. Dual and triple designs of tandem cylinders have been built, as have multiple single cylinders, to achieve enhanced reliability. Combinations of independent control surfaces operated by individual actuators are also used to further improve control system reliability.[11] For the purpose of enhanced failure detection in redundant actuators, digital or incremental technology can be applied to the electro-hydraulic part of such systems.


SOFTWARE IMPLICATIONS

The importance of software reliability is often underestimated when the question of overall system reliability is considered. It is assumed that software errors are found during debugging and testing and that the probability that a hardware component or subsystem will fail represents the essence of the system reliability concept. Unfortunately, errors in the assembly of software code are as likely to escape "final check-out" as the design and fabrication shortcomings which eventually lead to hardware failures.

Figure 7 indicates the evolution of computer hardware and software costs. Note that the ratio of software costs to total system costs is growing rapidly. This reflects in part recent and projected decreases in the cost of computer hardware, but the trend is also due to the growing size and complexity of modern software operating systems. It is to be expected that this increase in software sophistication will be accompanied by a corresponding increase in systems-reliability problems associated with software errors.

The relative importance of software reliability becomes clearer when one realizes that, in current electronic flight control systems, software costs exceed computer hardware costs by a factor of three to four and that the largest effort in developing software is due to the testing, correction, retesting, release, recall, correction, and re-release of software.[12-14] The task of developing the original code is quite small in comparison. Figure 8 represents the estimated and actual costs of developing software for a representative system.[15] This figure illustrates that software costs are often unanticipated, or at best underestimated, and that considerable effort is routinely expended in the post-production stage of system development to correct software-related errors.

The magnitude of this problem can be further appreciated when one realizes that, while the hardware designer has at his disposal a wide range of design methodologies and alternatives to use in optimizing hardware reliability, the software designer does not. Historically his objective has been limited to developing coding to the point that it "works"; that is, to the point that the software program consistently produces expected results from a set of known inputs.

When the concept of hardware reliability was originally conceived, hardware-systems engineering was a well-developed field. By contrast, the problem facing software designers is that coding is fundamentally an art form, with no generalized methodology available for guidance in the development of software.

Structured programming techniques[16] and standardized higher-order languages[17] do offer some promise of segmenting and simplifying future software generation. Compiler writing systems, first developed by DOD and now being extended by NASA, can further aid this process by automatically translating programs written in a higher order language into machine language for a candidate flight computer. Used with software-reference libraries, which assemble commonly-used software algorithms such as quadratic filters, and with built-in validation and verification programs, these compiler writing systems can significantly decrease the cost of the many iterations and changes inherent in the design of flight control systems.




Other software reliability-assurance systems,[18] under development by NASA, will be capable of detecting and assessing errors and reconfiguring the operating systems in such a way that the error mechanism which has been detected is by-passed. In a parallel effort, a number of reliability assessment methods are being designed to provide the design engineer with a yardstick for measuring the reliability of complex computer systems. An example of such an effort is the computer-aided reliability analysis (CARE) program developed by the Langley Research Center.[19] This program calculates the reliability of a given fault-tolerant system model and is currently being extended to include multiply-redundant, highly-reliable computer configurations.
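To show the kind of calculation a reliability-assessment tool performs on a fault-tolerant model, here is an added example (not CARE and not from the report) that integrates a small Markov model of an N-channel computer over the 10-hour flight period of Figure 3 and compares the result with the 10^-9 per flight-hour figure from the introduction. The per-channel failure rate, the coverage values and all function names are constructed assumptions.

```python
"""Flight-level failure probability of a reconfigurable N-channel computer.

Added example, not CARE and not from the AGARD report. It assumes N identical
channels with constant failure rate LAM per hour, M good channels needed to
keep flying, and detection/reconfiguration coverage C: each channel failure
is caught and masked with probability C and takes the system down with
probability 1 - C. The Markov chain over the number of failed channels is
integrated with RK4 and checked, for C = 1, against the closed-form binomial.
"""
from math import comb, exp

FLIGHT_HOURS = 10          # flight period used for Figure 3 of the report
TARGET_PER_HOUR = 1e-9     # projected flight-critical requirement in the report
LAM = 1e-4                 # constructed per-channel failure rate, 1/h


def binomial_failure_probability(n, m, lam, t):
    """P(fewer than m of n independent channels survive t), perfect coverage."""
    p = exp(-lam * t)
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(m))


def markov_failure_probability(n, m, lam, t, coverage, steps=1000):
    """Integrate dP/dt = P Q over states 0..n-m (failed channels) plus F.

    From state i the (n - i) live channels fail at rate lam each. A covered
    failure moves to i + 1 while the majority holds; an uncovered failure,
    or any failure beyond the tolerated number, moves to the absorbing F.
    """
    tolerated = n - m

    def derivative(p):
        dp = [0.0] * (tolerated + 1)
        df = 0.0
        for i in range(tolerated + 1):
            flow = (n - i) * lam * p[i]
            dp[i] -= flow
            if i < tolerated:
                dp[i + 1] += coverage * flow
                df += (1 - coverage) * flow
            else:
                df += flow
        return dp, df

    def shifted(p, dp, scale):
        return [a + scale * b for a, b in zip(p, dp)]

    p = [1.0] + [0.0] * tolerated
    fail = 0.0
    h = t / steps
    for _ in range(steps):
        k1 = derivative(p)
        k2 = derivative(shifted(p, k1[0], h / 2))
        k3 = derivative(shifted(p, k2[0], h / 2))
        k4 = derivative(shifted(p, k3[0], h))
        p = [a + h / 6 * (b + 2 * c + 2 * d + e)
             for a, b, c, d, e in zip(p, k1[0], k2[0], k3[0], k4[0])]
        fail += h / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
    return fail


def flight_summary(lam=LAM, t=FLIGHT_HOURS):
    """Per-flight failure probability of triplex and quadruplex layouts."""
    budget = TARGET_PER_HOUR * t
    rows = {}
    for n, m in ((3, 2), (4, 2)):
        for c in (1.0, 0.999, 0.99):
            pf = markov_failure_probability(n, m, lam, t, c)
            rows[(n, m, c)] = (pf, pf <= budget)
    return rows


if __name__ == "__main__":
    for (n, m, c), (pf, ok) in flight_summary().items():
        print(f"{n} channels, {m} needed, coverage {c:<5}: P(fail/flight) = {pf:.2e}"
              f"  {'meets' if ok else 'misses'} {TARGET_PER_HOUR:.0e}/h target")
```

The runs with coverage below 1 show that the undetected fraction of first failures, not the number of channels, sets the floor on what the configuration can achieve.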

While efforts are under way within NASA, as well as in industry and DOD, to develop a consistent software design methodology,[20] progress in this extremely difficult and complex endeavor is necessarily slow. With the rapid advances now being witnessed in the technology of reliable, solid-state hardware, it is becoming increasingly likely that future systems reliability will be paced more and more by developments in software engineering or that much future software will be replaced by hard-wired equivalents or firmware.


LIGHTNING CONSIDERATIONS

Flight control systems must operate in an environment in which severe electrical transients caused by lightning strikes are likely, if not certain, to occur. Lightning strikes on representative transport aircraft have occurred about once per 2500 flight hours.[21] It is important that the designer understand the lightning threat and allow for it in the design of avionics and flight control systems.

As illustrated in Figure 9, a typical lightning flash always involves an entry point and an exit point on the aircraft.[22] Usually these points are extremities on the aircraft, such as the nose and wing tip. Each lightning flash is composed of a number of high current strokes, with peak currents ranging from 30,000 amperes for a moderate stroke to around 200,000 amperes for a severe stroke. The total lightning event may last from 0.1 to 1 second, with continuous currents on the order of several hundred amperes between strokes.

Lightning current flowing through the structural resistance of the aircraft produces a voltage which can be thought of loosely as an IR drop across the structure. Circuits with multiple connections to the aircraft structure will have this voltage developed across the corresponding terminals. Such IR effects can be countered by employing a single point ground to the aircraft frame or by using differential wiring in which wires are provided for signal and power return paths instead of the aircraft frame.

Some insight into the severity of the lightning problem can be gained by reviewing the results of electrical transient tests conducted in 1973 on the NASA F-8 Digital Fly-by-Wire (DFBW) aircraft.

In these tests, simulated lightning strikes at a non-destructive level of 300 amperes were applied to an early configuration of the DFBW aircraft while voltage and current measurements were made in various circuits. Results of measurements at this level were then scaled up by assuming a lightning current of 30,000 amperes. Voltages (for a 30,000 ampere strike) in the range of 60 to 120 volts were determined in the Apollo guidance computer with levels on the order of 200 volts for the power busses. Currents measured in the wire bundles located in the left gun bay indicated that up to 180 amperes peak-to-peak would be induced by a 30,000 ampere strike. Figure 10 illustrates the resultant distribution of current amplitudes in the cable bundles. These levels, if not protected against, would exceed the typical 10 ampere peak current specified for electronic flight control systems.

The designer basically has two options for incorporating lightning resistance into his design. He can attempt to insure that all sensitive circuits are contained within a transient-free environment or he can specifically design the system to accept transients at all terminals.

The first approach usually employs a Faraday-cage grounded chassis construction, with the input power carefully filtered and all wires connecting to other subsystems thoroughly shielded. The details of the second approach depend on the specifics of the system being designed, but certain general practices include coupling transformers to protect sensitive circuits from common-mode surges, balanced transmission lines and grounded shields on all transmission cables, and voltage clamps on signal leads.


FAILURE DETECTION METHODS

Failure detection is one of the keys to high system reliability. Generally, failures are detected at the component level prior to fabrication, or at the system level after fabrication. Both failure detection methods will be considered briefly in this section.

Component Failures

Since the cost of detecting faults on the component level is 1/3 the cost of detecting failures at the system level,[23] the importance of component failure detection cannot be overemphasized. The purpose of component testing is, of course, to screen out faulty components in the beginning and to gain some insight as to how the performance of a good component will vary over its lifetime as it is exposed to its operational environment in a specific user task. As shown in Figure 11, the probability of failure decreases with time during the initial "burn-in" phase of the component's life-time, reaching a minimum constant level.[24] After some period of time, the probability of failure begins to increase with time, reflecting the influence of wear-out failures. The essence of component testing is to try to predict the parameters of this curve for the component under evaluation.

Component testing methods can be classified as either destructive or non-destructive.

Each category includes environmental, physical, and electrical tests. Examples of destructive environmental tests are operation of the component to failure under extremes of humidity or pressure, or through exposure to salt spray or corrosive solvents. In destructive physical tests, components are inspected after being subjected to radial, axial, and tension forces, and twisting or bending moments. Destructive electrical tests include tests for voltage breakdown in dielectrics and insulators, and tests for input protection in electronic components susceptible to damage from static discharge, such as MOS integrated circuits.


There is a very wide range of non-destructive environmental tests, including thermal tests which measure component performance at constant temperature and in large thermal gradients, and mechanical tests in which component performance is measured in the presence of vibration, acceleration, and mechanical shock.

Non-destructive physical tests include leak tests for hermeticity and x-ray tests to detect loose foreign particles within a component assembly. Non-destructive electrical tests are many and varied, and the details of the test depend on the component to be tested. In general, non-destructive electrical component tests are designed to determine whether the component performs a specified function as the result of a given input. Examples include tests to determine if resistance and capacitance values are within specified tolerance ranges, and state tests on integrated circuit logic gates.

System Failures

The failure detection at the system level is most important, as it determines the efficiency of the redundancy concept used in the system. Two basic modes of failure detection have to be considered together: the off-line detection (pre-flight test) and the on-line detection during system operation (built-in test). Both have to be coordinated very carefully, because the thoroughness of the total detection effort determines whether the failure probability increases from mission to mission or whether the probability can be assumed to start for each mission at the same level.

It is possible to improve system reliability and at the same time reduce support costs and turn-around time by including built-in test (BIT) capability in the design of digital flight control systems. Figure 12 illustrates the potential impact of BIT on system reliability.

There are a great number of hardware and software techniques and methods for on-line failure detection at the designer's disposal. In order to be able to judge their efficiency and their effect on the system integrity, the essential principles of failure detection are briefly described. Failure detection in real system designs can use all possible combinations of these principles.

The fundamental detection principle which must be applied in all cases is the comparison of signals which result from functionally equivalent processing units. These signals are independently derived from the same input signal and are usually dependent on the status of the process. Discrepancies at the comparator indicate a malfunction. The other basic principle is the test principle. The objective of the test method is to ensure that the input signal adequately exercises all components in the system. The way of applying the test principle determines how long it takes for a malfunction to become evident. The higher the test frequency for all processing states, the faster is the detection of any malfunction. There are two basic approaches to applying the test principle. One is independent of the process and its status, and the other is dependent on the status of the process. In the latter case, the test signal is simply the unmodified input signal on which the system is working, determined by the process and its statistics and not generated by any specific detection device. This is defined as passive failure detection, as opposed to active failure detection, where the input signal is derived independently for the purpose of a complete component test. In the active case, there are periodical tests on all states of each system component. For some methods of active failure detection the test is carried out simultaneously with the system process; otherwise process interrupts are necessary for this kind of testing. It is of great importance for the overall integrity that the failure detector or voter can diagnose its own failures, too. This can easily be achieved when active failure detection is used.
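The comparator, passive and active detection, and detector self-diagnosis described above, as an added example that is not code from the report: three identical lanes run a constructed control law, the comparator flags any lane that disagrees with the mid-value, and a latent clipping fault in lane 2 (assumed) is never exposed by the small live input, so only the periodic active test on a saved copy of the lane state catches it, with a latency set by the test period.

```c
/* Constructed triplex model: three functionally equivalent lanes, a
 * mid-value voter with comparator, and passive versus active detection.
 * Gains, thresholds and the injected fault are assumed for illustration. */
#include <stdbool.h>
#include <string.h>

#define LANES 3
#define THRESH 0.05        /* comparator discrepancy limit (assumed) */
#define FAULT_STEP 30      /* constructed: lane 2 develops a latent fault here */
#define NO_CLIP 1.0e9

typedef struct { double state; double clip; } lane_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* One control-law iteration: first-order lag, output clipped at +/-clip.
 * The latent fault lowers clip to 0.4, invisible while the live input
 * never drives the output above that level. */
static double lane_step(lane_t *l, double u)
{
    l->state += 0.5 * (u - l->state);
    return l->state > l->clip ? l->clip : (l->state < -l->clip ? -l->clip : l->state);
}

/* Mid-value select: the voter output passed on to the actuator. */
static double midvalue(const double v[LANES])
{
    double a = v[0], b = v[1], c = v[2];
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Comparator: bitmask of lanes whose output disagrees with the mid-value. */
static unsigned compare(const double v[LANES])
{
    double mid = midvalue(v);
    unsigned mask = 0;
    for (int i = 0; i < LANES; i++)
        if (absd(v[i] - mid) > THRESH) mask |= 1u << i;
    return mask;
}

/* Active test: drive every lane over the full range on a saved copy of its
 * state (the process-interrupt case), so the live process is undisturbed. */
static unsigned active_test(const lane_t lanes[LANES])
{
    lane_t copy[LANES];
    double out[LANES];
    memcpy(copy, lanes, sizeof copy);
    for (int k = 0; k < 8; k++)            /* settle the lag filter near +1.0 */
        for (int i = 0; i < LANES; i++)
            out[i] = lane_step(&copy[i], 1.0);
    return compare(out);
}

/* Run `steps` iterations on a small live input (square wave, +/-0.3).
 * Passive comparison runs every step; an active test runs every
 * test_period steps when test_period > 0. Returns the step of the first
 * detection, or -1 if the fault stayed latent. */
static int first_detection(int test_period, int steps)
{
    lane_t lanes[LANES] = { {0.0, NO_CLIP}, {0.0, NO_CLIP}, {0.0, NO_CLIP} };
    for (int t = 0; t < steps; t++) {
        if (t == FAULT_STEP) lanes[2].clip = 0.4;          /* latent fault appears */
        double u = (t % 40) < 20 ? 0.3 : -0.3, out[LANES];
        for (int i = 0; i < LANES; i++) out[i] = lane_step(&lanes[i], u);
        unsigned mask = compare(out);                      /* passive detection */
        if (!mask && test_period > 0 && (t + 1) % test_period == 0)
            mask = active_test(lanes);                     /* active detection */
        if (mask) return t;
    }
    return -1;
}

/* Self-diagnosis of the detector: a known probe vector with one outlier
 * must make the comparator flag exactly that lane. */
static bool voter_selftest(void)
{
    const double probe[LANES] = { 0.5, 0.5, 0.9 };
    return compare(probe) == (1u << 2) && midvalue(probe) == 0.5;
}
```

Passive comparison alone never reports the fault (all lanes agree on every live sample); an active test every 20 steps reports it at step 39 and one every 5 steps at step 34, illustrating the text's point that detection latency follows the test frequency.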

The evaluation of the design of flight control systems with respect to the integrity (i.e. the redundancy and failure detection concept, subject to mission efficiency and cost) is very difficult because of the great variety of possible approaches and the complexity of the system. Related investigations include a comparison between the usual passive failure detection methods with comparison testing of redundant systems, and pure active failure detection with very high test frequency. The probability of total loss based on failure detection information, which is attainable during the system operation, was used as a criterion instead of the number of failures to be survived. Some of the more commonly used test techniques are briefly outlined here. As far as the sensors are concerned, only passive failure detection is possible, because the sensor inputs cannot be influenced by the control system. That means comparison testing of the output signals of redundant sensor units is necessary.

Where the degree of redundancy is not sufficient to permit voting, the designer may employ various real-time modeling techniques, as already mentioned earlier. These techniques may also use the fact that outputs from independent sensors are compared. For example, the output of an accelerometer displaced from the aircraft center of gravity may be used to check the output of a rate gyro.

For systems in which signals may be present in a given element for only short periods of time, separated by long quiescent periods, active failure detection can be readily applied. The self-testing can be accomplished through stimulated monitoring. In stimulated monitoring, a small tracer signal, generally with zero mean value, is passed through the system and the output. The stimulus is always selected to have negligible effect on system performance.
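Stimulated monitoring as an added example, not code from the report: a small alternating (zero-mean) tracer is added to the live input of a constructed first-order lag element, and the element's output is correlated with the tracer over a window; a healthy path shows a clear correlation even when the live signal is constant, while a stuck element shows none. The tracer amplitude, window length and threshold are assumptions.

```c
/* Constructed model of stimulated monitoring: a small zero-mean tracer is
 * added to the live input and the element output is correlated with it.
 * Amplitude, window and the lag element are assumptions, not from the report. */
#include <stdbool.h>

#define TRACER_AMPL 0.01   /* assumed: negligible beside the live signal */
#define WINDOW 64          /* assumed correlation window (even, so the
                              constant live signal cancels exactly) */
#define SETTLE 16          /* assumed: steps to let the element settle */

typedef struct { double state; bool stuck; } element_t;

/* First-order lag element (gain 0.5); a stuck element holds its last output. */
static double element_step(element_t *e, double u)
{
    if (!e->stuck) e->state += 0.5 * (u - e->state);
    return e->state;
}

/* Feed live_level plus an alternating +/-TRACER_AMPL tracer through the
 * element and return the correlation of output and tracer, normalised so a
 * healthy element gives about 1/3 (the lag filter's steady-state response
 * to an alternating input) and a stuck or open path gives 0. */
static double tracer_correlation(element_t *e, double live_level)
{
    double acc = 0.0;
    for (int k = 0; k < SETTLE + WINDOW; k++) {
        double tracer = (k & 1) ? -TRACER_AMPL : TRACER_AMPL;
        double y = element_step(e, live_level + tracer);
        if (k >= SETTLE) acc += y * tracer;      /* skip the settling transient */
    }
    return acc / (WINDOW * TRACER_AMPL * TRACER_AMPL);
}

/* Detection decision: alive if the response to the tracer is clearly
 * present. The 0.15 threshold sits between the healthy and stuck values. */
static bool element_alive(element_t *e, double live_level)
{
    return tracer_correlation(e, live_level) > 0.15;
}
```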

One of the simplest self-testing methods available is the fixed-model method, in which comparisons are made to ensure that the control system's signals or certain carrier characteristics (i.e. pulse frequency and shaping) agree with expected ones within prescribed limits for a given set of conditions. This method can be implemented either in hardware or in software. Examples include parity checks and memory-sum checks. These methods can be either passive or active.

For systems involving communication with one or more asynchronous peripherals, the "handshake" method is often used. Handshake communication methods require that the receiver generates a "ready" signal before the sender will pass signals. Received signals are then compared with transmitted signals to insure that they are identical. If they are not, additional transmission may be attempted, until there is a match.

Processor timing can be used in a very simple self-test method to test for software errors. In a properly functioning program a clock within the processor is reset at regular intervals. An early or late reset is interpreted as evidence of some difficulty.

For digital control systems with a finite and known set of digital output patterns, self-test circuits can be used to detect errors. An error signal is generated whenever the output differs from the known set of "good" code words.
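The four simple self-test methods above (memory-sum check, handshake with read-back compare, processor timing window, and output code-word check) as one added example, not code from the report; the program image, watchdog limits, one-hot code-word set and the peripheral model are all constructed assumptions.

```c
/* Constructed examples of the simple self-test methods above: memory-sum
 * check, watchdog timing window, output code-word check and handshake with
 * read-back compare. Limits, data and the peripheral model are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Fixed-model check: program memory must still sum to the value recorded
 * when it was loaded (a corrupted byte changes the sum). */
static uint16_t memory_sum(const uint8_t *mem, size_t n)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint16_t)(sum + mem[i]);
    return sum;
}

/* Runs the check on a constructed 8-byte image, optionally with one bit
 * flipped after the reference sum was recorded. */
static bool demo_memory_check(bool corrupt_one_byte)
{
    uint8_t image[8] = { 0x3E, 0x00, 0xC3, 0x10, 0x02, 0x7F, 0xA5, 0x5A };
    uint16_t recorded = memory_sum(image, sizeof image);   /* taken at load time */
    if (corrupt_one_byte) image[3] ^= 0x01;                /* single-bit upset */
    return memory_sum(image, sizeof image) == recorded;
}

/* Watchdog: a healthy program resets the timer every 8..12 ticks; an
 * early or late reset is taken as evidence of a software fault. */
typedef struct { unsigned last_reset, min_gap, max_gap; bool fault; } watchdog_t;

static void watchdog_reset(watchdog_t *w, unsigned now)
{
    unsigned gap = now - w->last_reset;
    if (gap < w->min_gap || gap > w->max_gap) w->fault = true;
    w->last_reset = now;
}

/* Replays a sequence of reset times; returns the index of the first early
 * or late reset, or -1 if every reset fell inside the window. */
static int watchdog_first_fault(const unsigned *times, size_t n)
{
    watchdog_t w = { 0, 8, 12, false };
    for (size_t i = 0; i < n; i++) {
        watchdog_reset(&w, times[i]);
        if (w.fault) return (int)i;
    }
    return -1;
}

/* Code-word check: a discrete output must be one of four one-hot patterns. */
static bool codeword_ok(uint8_t out)
{
    static const uint8_t good[] = { 0x1, 0x2, 0x4, 0x8 };
    for (size_t i = 0; i < sizeof good; i++)
        if (out == good[i]) return true;
    return false;
}

/* Handshake: constructed peripheral that corrupts its first corrupt_left
 * transfers, so the read-back compare forces retransmission. */
typedef struct { bool ready; int corrupt_left; uint8_t reg; } peripheral_t;

static void peripheral_write(peripheral_t *p, uint8_t word)
{
    p->reg = p->corrupt_left-- > 0 ? (uint8_t)(word ^ 0x10) : word;
}

/* Waits for "ready", sends, reads back and compares; returns the number of
 * transmissions needed for a verified match, or -1. */
static int send_with_handshake(peripheral_t *p, uint8_t word, int max_tries)
{
    if (!p->ready) return -1;                   /* no "ready": do not send */
    for (int t = 1; t <= max_tries; t++) {
        peripheral_write(p, word);
        if (p->reg == word) return t;           /* received == transmitted */
    }
    return -1;                                  /* no match within the limit */
}
```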

We have briefly touched on a few of the more common self-testing methods applicable to flight control systems which the designer has at his disposal. Constraints imposed by the details of the system being designed dictate to a great extent which self-test method, if any, makes the most sense. Clearly, self-testing, when used in conjunction with other methods outlined in this paper, has the potential for sharply increasing the reliability of flight control systems.


FUTURE TRENDS

The number of flight-critical functions, such as automatic landing and active control, now performed by modern flight control systems is expected to continue to increase in the future. As we move into the era of integrated control, flight control is rapidly becoming an equal partner with aerodynamics, propulsion and structures in the aircraft design process. This integrated view of airframe, propulsion and subsystem control functions and mechanizations, illustrated in Figure 13, will be a principal driver in the efficiency and economics of future aircraft. Major improvements in aircraft performance and reductions in aircraft weight appear possible through combinations of currently-independent aircraft functions such as active airframe control, propulsion control, landing loads control, and fuel management. For example, the integration of active landing gear and maneuver load control systems can appreciably decrease wing structural stiffness requirements and weight. Similarly, automatic reconfiguration of control system gains in the event of an engine failure can allow sizeable reductions in required control surface areas. Extensions of this approach to fully-integrated, control-configured aircraft could provide up to 15% fuel savings and structural weight reductions.

In addition, integrated control will permit the evolution of a distributed control architecture which utilizes a redundant data bus and standard microprocessor modules to implement all aircraft control functions. Such standard programmable modules would have built-in fault tolerance, multifunctional capability, and standard interfaces to yield significantly fewer control system elements and lower system costs. For example, application of this design approach to a B-737 transport could reduce the number of standard boxes from the 64 now used to 20 standard modules with attendant weight savings of about 1000 lbs. Potential gains in reliability could be even more important. Preliminary analyses indicate that integrated control configurations could be implemented with twice the reliability, half the maintenance cost, and one-third the equipment used in present flight control systems. Projected component advances will further increase flight control system performance and integrity. Examples of these include solid-state or ring laser rate gyros, very high-density integrated circuits and multi-layered packaging techniques, fiber optics data links with their inherent potential for lightning survivability, and light-weight electrohydraulic actuators. With the flexibility afforded by digital electronics and fly-by-wire systems, future flight control design could be significantly simplified and specific systems could be readily mechanized through the assembly of proven sensor, processor, and actuator modules using the latest technology.


CONCLUDING REMARKS


Flight control systems today stand at the threshold of a new age - in terms of both utilization and mechanization. The first steps, fly-by-wire and active control, have already been taken in operational military aircraft and are being designed into the civil transports now on the drawing boards. Beyond that, the revolution in microelectronics and related technologies offers the promise of totally-integrated control functions and simplified system configurations which take maximum advantage of standardized modules to increase reliability while reducing systems development and maintenance costs.

The integrity of flight control has been, and will continue to be, the key factor in the acceptance of these concepts for operational application. While considerable progress has been made in this area, major additional gains in reliable design approaches and implementations are essential if flight control systems are to reap their full benefits during the next decade.


REFERENCES

1. McRuer, D.: "A Historical Perspective for Advances in Flight Control Systems." AGARDograph AG-224, May 1977

2. Osder, S.S.: "Chronological Overview of Past Avionic Flight Control System Reliability in Military and Commercial Operations." AGARDograph AG-224, May 1977

3. Bird, G.T. and Bird, G.R.: "Experienced Inflight Avionics Malfunctions." AGARD LS-81, April 1976

4. Ramage, James K. and Morris, James W.: "Design Considerations for Reliable Fly-By-Wire Control." Paper presented at the AGARD Symposium on Stability and Control, Ottawa, Canada, September 1978

5. Szalai, K.J. et al.: "Design and Test Experience with a Triply Redundant Digital Fly-By-Wire Control System." AGARDograph AG-224, May 1977

6. Robinson, P.; Meadows, I.; and Copage, C.M.: "A High Reliability, High-Integrity Flight Control System." AGARDograph AG-224, May 1977

7. Potter, J. and Suman, M.: "Thresholdless Redundancy Management with Arrays of Skewed Instruments." AGARDograph AG-224, May 1977

8. Task-Oriented Flight Control System. AGARD LS-89, 1977

9. Murray, N.D.; Hopkins, A.L.; and Wensley, J.H.: "Highly Reliable Multi-processors." AGARDograph AG-224, May 1977

10. Onken, R.: "System Integrity by Use of Selfdiagnosing Failure Detection." AGARDograph AG-224, May 1977

11. Early, B.: "Objectives for the Design of Improved Actuation Systems." AGARDograph AG-224, May 1977

12. Post, K.H.: "Study of Electrohydraulic Control Valves with Fluidic Ball Elements." ESRO TT-112, 1974

13. Doetsch, K.H.: "The Proper Symbiosis of the Human Pilot and Automatic Control System." Aeronautical Journal, 1975

14. Shooman, M.L.: "Software Reliability: Analysis and Prediction." AGARDograph AG-224, May 1977

15. Sokol, O.M.: "Centrally-Designed Data Systems." 1975

16. Mills, H.D.: "Structured Programming." Proceedings of Fault-Tolerant Systems Workshop, Research Triangle Institute, January 1976

17. Belcher, G. and Egan, T.: "Software Integrity through Visibility." AGARDograph AG-224, May 1977

18. Conn, R.B.; Merryman, P.M.; and Whitelaw, K.L.: "CAST: A Complementary Analytic-Simulative Technique for Modeling Complex, Fault-Tolerant Computing Systems." AGARDograph AG-224, May 1977

19. Raytheon Co.: "An Engineering Treatise on the CARE-II Dual Mode and Coverage Models." NASA CR-144994, April 1976

20. AIAA Professional Seminars: "Software Management: Defense Systems and Other Federal Program, Parts I and II." 1976/1977

21. Bjurman, B.E. et al.: "Airborne Advanced Reconfigurable Computer System." NASA CR-145024, August 1976

22. Fisher, F.A.: "Lightning Considerations on the NASA F-8 Phase II Digital Fly-By-Wire System." General Electric SRD-75-074, June 1975

23. GSFC Quality Assurance Brief. QAB No. 72-10, October 1972

24. Schambeck, W.: "Reliability Testing of Electronic Parts." AGARD LS-81, April 1976

25. Proceedings of AGARD Conference on "Impact of Active Controls on Airplane Designs." AGARD CP-157, 1975

26. A Study of Standardization Methods for Digital Guidance and Control Systems. AGARD AR-90

27. Arnold, James I.: "Future Trends in Highly Reliable Systems." AGARDograph AG-224, May 1977


[Figure pages: only the captions and panel labels survived extraction]

Figure: Miniaturization of representative flight control hardware (panel labels: RELATIVE COMPLEXITY; B-747, DUAL-DUAL; TRIPLEX; MISSILE AUTOPILOT ASSEMBLY; B-1 FLIGHT CONTROL MODULE)

Fig.2 Effect of redundancy on control complexity (configurations: SINGLE CHANNEL; SINGLE CHANNEL WITH SAFETY MONITOR; WITH SOPHISTICATED SAFETY MONITOR; DUAL FAIL PASSIVE; FAIL-OPERATIVE; FAIL OPERATIVE DOUBLE FAULT CORRECTING)

Figure (caption illegible): axis label FAILURE PROBABILITY FOR A 10 HR MISSION

Figure: Representative redundancy configurations for component failure protection (panels: BASIC COMPONENT; PROTECTED AGAINST OPEN IN EITHER DIODE; PROTECTED AGAINST SHORT IN EITHER DIODE; PROTECTED AGAINST OPEN OR SHORT IN EITHER DIODE)

Figure: Hardware/software cost relationship (axis: YEAR, 1955 to 1985)

Fig.10 Distribution of current amplitudes in cable bundle for [illegible] ampere lightning strike (axis: PERCENTAGE OF CURRENT EXCEEDING)

Fig.11 Circuit failures vs time


REPORT DOCUMENTATION PAGE

1. Recipient's Reference

2. Originator's Reference: AGARD-AR-136

3. Further Reference: ISBN 92-835-1329-0

4. Security Classification of Document: UNCLASSIFIED

5. Originator: Advisory Group for Aerospace Research and Development, North Atlantic Treaty Organization, 7 rue Ancelle, Neuilly sur Seine, France

6. Title: INTEGRITY IN ELECTRONIC FLIGHT CONTROL SYSTEMS

7. Presented at

8. Author(s)/Editor(s): P.R. Kurzhals*, R. Onken+

9. Date: July 1979

10. Author's/Editor's Address: *Director, Guidance Control and Information Systems Division, National Aeronautics and Space Administration, Washington, DC 20546, USA; +DFVLR, Institut für Flugführung, Flughafen, D-3300 Braunschweig

11. Pages: [illegible]

12. Distribution Statement: This document is distributed in accordance with AGARD policies and regulations, which are outlined on the Outside Back Covers of all AGARD publications.

13. Key words/Descriptors: Flight control; Airborne equipment; Avionics; Man-machine systems; Reliability (electronics); Solid state devices; Design criteria

14. Abstract

With the increased use of electronic flight-control systems for better aircraft performance and cost-effectiveness, development and test techniques which can insure the integrity of such systems have become critically important. Rapid advances in solid-state electronics have permitted a hundred-fold decrease in control computer size, power and cost over the past two decades. Designers have capitalized on these gains primarily by incorporating additional control functions to improve aircraft capabilities. Resulting control systems have become very complex and reliability requirements have mushroomed. This paper summarizes the evolution of these requirements, outlines the current status of flight control reliability, and highlights promising methods of achieving integrity in future flight control systems.

This Advisory Report was sponsored by the Guidance and Control Panel of AGARD.



Printed by Technical Editing and Reproduction Ltd
Harford House, 7-9 Charlotte St, London W1P 1HD


ISBN  92-835-1329-0 


